Tips and FAQ: OAuth and remote apps for SharePoint

This topic is now obsolete. See the links below to find where the content is now located.

Applies to: apps for SharePoint | Office 365 | SharePoint Server 2013

Note

The name "apps for SharePoint" is changing to "SharePoint Add-ins". During the transition, the documentation and the UI of some SharePoint products and Visual Studio tools might still use the term "apps for SharePoint". For details, see New name for apps for Office and SharePoint.

In this article
Retrieving app information
AppManifest.xml file
Web.config file
URLs and Secure Sockets Layer (SSL)
App redirect page
Redirect URIs
OAuth tokens
Permissions and permission request scopes
OAuth authorization policy types
Debugging
High-trust apps (server-to-server apps) on-premises
Additional OAuth-related issues
Social features
Additional resources

Retrieving app information

This content has been moved to Retrieve add-in registration and add-in principal information.

AppManifest.xml file

This content has been moved to:

What is the URL in the <StartPage> element?

This content has been moved to:

Explore the app manifest structure and the package of a SharePoint Add-in

StartPage Element

What are the elements and attributes of the AppManifest.xml file?

This content has been moved to Schema reference for manifests of apps for SharePoint

Web.config file

This content has been moved to Register SharePoint Add-ins 2013, especially the section Enter the registration values into the web.config and AppManifest.xml files.

What are the app settings of the Web.config file?

This content has been moved to Enter the registration values into the web.config and AppManifest.xml files.

URLs and Secure Sockets Layer (SSL)

This content has been moved to:

My web application has problems talking back to SharePoint. What should I check?

This content has been moved to:

What URLs should I hard-code into my app to point to my cloud server?

This content has been moved to:

Should I register the CNAME alias or the actual underlying URL that is hosting the app?

This content has been moved to:

I get the error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." What should I do?

This content has been moved to https://msdn.microsoft.com/dn762438.

App redirect page

This content has been moved to Get a new context token.

What should I use the app redirect page for?

This content has been moved to Get a new context token.

How do I use an app redirect page to get the context token?

This content has been moved to Get a new context token.

How do I use the appredirect page in the URL?

This content has been moved to Get a new context token.

Redirect URIs

This content has been moved to Register SharePoint Add-ins 2013.

Do I need a redirect URI?

This content has been moved to Register SharePoint Add-ins 2013.

OAuth tokens

This content has been moved to:

What is a context token?

This content has been moved to Understand the structure and handling of context tokens.

What is an access token?

This content has been moved to Understand the handling of access tokens.

What is a refresh token?

This content has been moved to Understand the handling and caching of refresh tokens.

This content has been moved to Cache the context token or parts of it.

What is the cache key value made up of? How is it unique?

This content has been moved to Understand the cache key.

How do I retrieve the context token?

This content has been moved to Understand the structure and handling of context tokens.

What information does the context token contain?

This content has been moved to See an example of a context token.

What information does an access token contain?

This content has been moved to:

How do I calculate the exact time and date from the value of nbf and exp?

This content has been moved to Work with JWT time values.

I want to protect the svc for my apps from users who are not from SharePoint. I check the user’s legitimacy at the app's entry point (by creating ClientContext), but my WCF service can be called by anyone. Should I create ClientContext from a context token on every svc method call?

This content has been moved to Use the context token to limit access to only SharePoint users.

Is it okay to keep AppContext (obtained from a SharePoint POST request) as a hidden input field on the page?

This content has been moved to Cache the context token or parts of it.

How long is a refresh token valid?

This content has been moved to Understand the handling and caching of refresh tokens.

I store the access token and host URL in cookies so they can be used on other page requests. But the user took a break and the access token expired. What should I do?

This content has been moved to:

In what scenario should I discard an old unexpired refresh token that is still valid and use a new one?

This content has been moved to Understand the handling and caching of refresh tokens.

Permissions and permission request scopes

This content is in Add-in permissions in SharePoint 2013.

What are the permission request scopes and available rights for list, library content, and other features?

This content is now in Add-in permissions in SharePoint 2013.

OAuth authorization policy types

This content is in Add-in authorization policy types in SharePoint 2013.

What is the difference between the app-only policy and the user + app policy?

This content is in Add-in authorization policy types in SharePoint 2013.

Is there a way to grant or deny the right to launch an app?

This content is in Add-in permissions in SharePoint 2013.

Debugging

This content has been moved to:

Using Fiddler

This content has been moved to:

High-trust apps (server-to-server apps) on-premises

This content has been moved to Troubleshooting high-trust SharePoint Add-ins

I'm getting a 401 unauthorized error when running a high-trust app. What should I do?

This content has been moved to Troubleshooting high-trust SharePoint Add-ins.

How do I get a context token for a high-trust app?

This content has been moved to Create and use access tokens in provider-hosted high-trust SharePoint Add-ins.

Additional OAuth-related issues

This content has been moved to:

When trying to read a file using the HTTP DAV method, I get an error. What should I do?

This content has been moved to Troubleshooting low-trust add-ins for SharePoint 2013.

Is there a way to forward OAuth authorization to other components in different domains, or to configure OAuth for multiple URIs?

Yes. See Forward the access token to backend systems.

Is the SharePoint 2013 principal value constant?

Yes. See See examples of access tokens in the ACS authorization system (especially table 1).

Are the app ID and app secret constant across all tenants for a given app?

Yes, if the app is registered in the Seller Dashboard. If it is instead registered separately with each SharePoint tenancy or farm, it can have a distinct ID and secret for each one; in that case it appears to Microsoft Azure Access Control Service (ACS) as multiple apps. See Register SharePoint Add-ins 2013.

Are realms unique?

Yes. See See examples of access tokens in the ACS authorization system (especially table 1) and Use the context token to get an access token.

How do I turn off the HTTPS requirement for OAuth during development?

This content has been moved to https://msdn.microsoft.com/dn762438.

Social features

This content has moved to:

  1. Social and collaboration features in SharePoint 2013

  2. Add-in permissions in SharePoint 2013

How do I retrieve a user's identity and properties?

See Get user identity and properties in SharePoint 2013.

What is the usage for the different social features and permission request scopes?

This content is in https://msdn.microsoft.com/jj163864.

How do I get the user profile properties of people following me?

This content has been moved to https://msdn.microsoft.com/jj163182.